OCR Warns of Threat of Insider Data Breaches

Cyberattacks on healthcare organizations have increased significantly in recent months. According to research conducted by the Ponemon Institute, criminal activity is now the leading cause of healthcare data breaches.

So far in 2016, 51 hacking incidents have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those hacks have resulted in the exposure and/or theft of the protected health information of 2,801,082 individuals. The OCR breach portal shows that 114,604,625 patients have had their PHI exposed as a result of hacking incidents since January 1, 2015, not including the 9.3 million records that were stolen from a U.S. health insurer last month by hacker The Dark Overlord.

While attacks by external malicious actors have resulted in the exposure and theft of a huge amount of patient data, healthcare organizations should not ignore the threat from within. Insider data breaches are fast becoming one of the biggest threats to healthcare organizations, and cyberattacks conducted by external malicious actors may themselves be facilitated by insiders or insider-driven.

OCR has responded to the growing threat of insider data breaches by issuing a reminder to covered entities to take action to prevent insider data theft and to reduce the risk of accidental data breaches caused by healthcare employees. OCR cites a recent survey conducted by HfS Research on behalf of Accenture which indicates 69% of organizations have experienced a data breach or attempted data breach by an insider.

Insider data breaches do not always involve malicious intent, but they still have the potential to harm patients. Others are deliberate: earlier this year, an employee of the Jackson Health System was accused of stealing the health records of 24,000 individuals over a period of 5 years, and OCR cited an example of a healthcare employee accessing the health records of 5,400 patients over a period of 4 years.

The OCR breach portal contains numerous examples of employees who have accessed or stolen healthcare data. One of the largest breaches occurred last year when an employee of Medical Informatics Engineering – a HIPAA business associate – stole the data of 3,900,000 individuals.

To reduce the risk of insider data breaches, healthcare organizations should conduct background checks on potential employees prior to providing them with access to sensitive patient data. Access to data should also be limited in accordance with the minimum necessary HIPAA standard.

Additional steps that can be taken to reduce the risk of insider data breaches are detailed below. These US-CERT best practices can help to ensure that ePHI is protected from insider threats.

[Image: US-CERT best practices to reduce the risk of insider data breaches]

Further information: http://resources.sei.cmu.edu/asset_files/TechnicalReport/2012_005_001_34033.pdf

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.